Set up authentication for the on-premises or any cloud edition of ABAP SDK for Google Cloud

This document describes how to authenticate to Google Cloud from the on-premises or any cloud edition of ABAP SDK for Google Cloud.

Applications developed using the ABAP SDK for Google Cloud require authentication to connect to Google Cloud APIs. The SDK enables the usage of Google Cloud recommended best practices for authentication.

For authentication and authorization to access Google Cloud APIs, the SDK mainly uses tokens. In addition, the SDK also supports API keys to authenticate to Google Cloud APIs that use API keys.

Depending on the Google Cloud APIs that you need to access, the environment where your SAP system is hosted, and the security requirements of your SAP system, you can choose an appropriate authentication type. The following table summarizes supported authentication types based on the hosting location of your SAP system:

SAP system location | Authentication type | Instructions
SAP RISE, regardless of where the servers are hosted | JSON Web Token (JWT) | Authenticate using JSON Web Tokens (JWT)
SAP system hosted on Compute Engine VM | Access tokens | Authenticate using access tokens
SAP system hosted outside Google Cloud | JSON Web Token (JWT) | Authenticate using JSON Web Tokens (JWT)
SAP system hosted outside Google Cloud | Access tokens | Authenticate using tokens through Workload Identity Federation

Authentication to Google Cloud APIs using API keys

Only a few Google Cloud APIs use API keys for authentication, for example, Google Maps Platform. Review the authentication documentation for the service or API that you want to use to determine whether it supports API keys. Regardless of where your SAP system is hosted, you can use API keys for authentication as long as the API that you want to use supports API keys.

To authenticate to Google Cloud APIs using API keys, use one of the following methods:

Authentication to Google Workspace APIs using OAuth 2.0 client credentials

To access Google Workspace APIs, you can use OAuth 2.0 client credentials. OAuth 2.0 client credentials let you retrieve a token in the context of an end user, such as a token required to access Google Sheets. Regardless of where your SAP system is hosted, you can use OAuth 2.0 client credentials for authentication to Google Workspace APIs as long as the system supports OAuth 2.0.

For information about setting up authentication to Google Workspace APIs, see Authenticate to Google Workspace APIs using OAuth 2.0 client credentials.

Authenticate using access tokens

This section shows how to set up authentication to access Google Cloud APIs using tokens when your SAP system is hosted on a Compute Engine VM instance.

  1. In the Google Cloud console, enable the IAM Service Account Credentials API for your Google Cloud project that requires authentication. Along with the IAM Service Account Credentials API, you need to enable any other supported APIs that you plan to access using the SDK.

    Go to API library

    For information about how to enable Google Cloud APIs, see Enabling APIs.

  2. In the Google Cloud console, create an IAM service account for the host VM instance.

    Go to Service accounts

    For information about how to create a service account, see Create a service account.

  3. Grant the Service Account Token Creator role to the service account. For instructions, see Grant a single role.

  4. Attach the service account to the VM instance where your SAP workload is running. Also, set the VM's access scope to cloud-platform.

    • If you specify the service account by using the Google Cloud console, then the VM's access scope automatically defaults to the cloud-platform scope.
    • If you specify the service account by using the Google Cloud CLI or the Compute Engine API, then you need to set the API access scope to Allow full access to all Cloud APIs.

      For instructions, see Create a VM and attach the service account.

      After updating the scope, restart the VM. If you have multiple VM instances for the same SAP installation, then you must complete this step on all those VM instances.

  5. In the Google Cloud console, create a dedicated IAM service account to access Google Cloud APIs.

    Go to Service accounts

    For instructions, see Create a service account.

  6. Grant the service account the required IAM roles to access the API functionality. To understand the role requirement for Google Cloud APIs, see the individual API documentation and follow the principle of least privilege. For more information about API specific predefined roles, see IAM basic and predefined roles reference.

  7. If you created the service account in a different project than the project that contains the Google Cloud APIs, then you must perform additional steps for the service account setup. For more information, see Set up service accounts in a cross-project environment.

  8. In the SAP system, configure the client key:

    1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

      Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

    2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.

    3. Click New Entries.

    4. Enter values for the following fields:

      Field | Description
      Google Cloud Key Name | Specify a name for the client key configuration. For example, TEST_PUBSUB.
      Google Cloud Service Account Name | Specify the name of the service account to which you have granted permissions to access Google Cloud APIs. For example, sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com. If the host VM of your SAP system that contains the SDK is in a different project than the one with the Google Cloud APIs enabled, then specify the service account that is used for accessing Google Cloud APIs. For more information, see Set up service accounts in a cross-project environment.
      Google Cloud Scope | Specify the API access scope, https://www.googleapis.com/auth/cloud-platform.
      Google Cloud Project Identifier | Specify the ID of the Google Cloud project that contains your target APIs.
      Command name | Leave this field blank.
      Authorization Class | Specify the authorization class, /GOOG/CL_AUTH_GOOGLE.
      Token Caching | The flag that determines whether or not the access tokens retrieved from Google Cloud are cached. We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching.
      Token Refresh Seconds | The amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500.
      Authorization Parameter 1 | Leave this field blank.
      Authorization Parameter 2 | Leave this field blank.
    5. Save the new entry.

  9. In the SAP system, create new RFC destinations for the APIs that you plan to consume using the ABAP SDK for Google Cloud.

    For information about creating RFC destinations, see RFC destinations.

  10. In the SAP system, configure the service mapping table for IAM API, and other APIs that you plan to consume using the ABAP SDK for Google Cloud.

    1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

      Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

    2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.

    3. Click New Entries.

    4. Specify RFC destinations for IAM API and other APIs, for example, Pub/Sub API v1.

      Name | Service Name | RFC Destination
      Google Cloud Key Name | iamcredentials.googleapis.com | ZGOOG_IAMCREDENTIALS
      Google Cloud Key Name | pubsub:v1 | ZGOOG_PUBSUB_V1
    5. Save the new entry.

  11. In the SAP system, validate the authentication configuration. For more information, see Validate authentication configuration.

Set up service accounts in a cross-project environment

The host VM of your SAP system, which contains the SDK, can be in a different Google Cloud project than the one with the Google Cloud APIs enabled. In this case, you must set up service accounts with the required IAM roles so that the SDK can access the APIs from the different project.

The following table shows an example of service account setup for cross-project API access.

Environment | SAP host VM | Google Cloud APIs
Google Cloud project | project-sap-host | project-google-apis
Service account assigned to the SAP host VM | sa-sap-host@project-sap-host.iam.gserviceaccount.com | N/A
Service account for accessing Google Cloud APIs | sa-google-apis@project-sap-host.iam.gserviceaccount.com | N/A
IAM roles for the service account | In the project project-sap-host, grant the service account sa-sap-host@project-sap-host.iam.gserviceaccount.com the Service Account Token Creator role. | In the project project-google-apis, add the service account sa-google-apis@project-sap-host.iam.gserviceaccount.com as a principal and grant it the appropriate roles to connect to the Google Cloud APIs.

To set up the service accounts, perform the following steps:

  1. In the Google Cloud project that contains your SAP host VM, grant the service account of the SAP host VM the Service Account Token Creator role. For more information about the steps, see Grant a single role.
  2. In the Google Cloud project that contains your SAP host VM, create a service account. Note the name of the service account. You specify this name when you add the service account as a principal to the other project that contains the Google Cloud APIs.
  3. In the other project that contains the Google Cloud APIs, add the service account as a principal and grant appropriate roles to connect to the Google Cloud APIs. To add a service account to the Google Cloud project that contains the Google Cloud APIs, perform the following steps:

    1. In the Google Cloud console, go to the IAM Permissions page:

      Go to IAM permissions

    2. Confirm that the name of the project that contains the target Google Cloud APIs is displayed near the top of the page. For example:

      Permissions for project "PROJECT_NAME"

      If it is not, then switch projects.

    3. On the IAM page, click Grant access. The Grant access to "PROJECT_NAME" dialog opens.

    4. In the New principals field, specify the name of the service account.

    5. In the Select a role field, specify a relevant role. For example, for Pub/Sub, to modify topics and subscriptions, and access to publish and consume messages, you can specify the role Pub/Sub Editor (roles/pubsub.editor).

      For more information about API specific predefined roles, see IAM basic and predefined roles reference.

    6. Add additional roles as required for your API usage. Implement Google recommended best practices by applying the principle of least privilege.

    7. Click Save. The service account appears in the list of project principals on the IAM page.

Authenticate using JSON Web Tokens (JWT)

This section shows how to set up authentication to access Google Cloud APIs using a token when your SAP system is running on a host that is on premises, on another cloud provider, in another environment outside of Google Cloud, or managed by SAP through the SAP RISE program.

For authentication to Google Cloud, you use Google Cloud signed JSON Web Tokens (JWT) to obtain access tokens from Google Cloud.

The high-level configuration steps are as follows:

Create a service account for JWT based token retrieval

For JWT based authentication to Google Cloud, ABAP SDK for Google Cloud needs an IAM service account.

Create a service account

In the Google Cloud console, create an IAM service account for JWT based token retrieval, and grant the service account the Service Account Token Creator role.

Go to Service accounts

For information about how to create a service account, see Create a service account.

Create a service account key

You need to create a P12 service account key for the service account used for JWT based token retrieval.

To create a service account key, perform the following steps:

  1. In the Google Cloud console, go to the IAM & Admin Service accounts page.

    Go to Service accounts

  2. Select your Google Cloud project.

  3. Click the email address of the service account that you created for JWT based token retrieval in the previous section, Create a service account.

  4. Under the service account name, click the Keys tab.

  5. Click the Add Key drop-down menu, and then select Create new key to create a service account key.

  6. Accept P12 as the key type and click Create.

    A private key is downloaded to your computer.

  7. Make a note of the password for the private key file, notasecret.

    Provide the private key and password to your SAP administrator to import the private key into STRUST, as described in Import the service account key into STRUST.

Specify the service account for JWT signing

If you created the service account for JWT signing in a different project than the project that contains the Google Cloud APIs, then you need to specify the service account on the SAP host system.

If you created the service account in the same project that contains the Google Cloud APIs, then you can skip this step.

To specify the service account for JWT signing, perform the following steps:

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Parameters.

  3. Click New Entries.

  4. In the Parameter Name field, enter JWT_SERVC_ACCT. The parameter description is automatically populated.

  5. In the Parameter Value field, enter the name of the service account.

  6. Save the new entry.

Configure security settings for Google Cloud on the SAP host system

To enable JWT signing for the service account that you created for JWT based token retrieval, you need to configure security settings for Google Cloud on the SAP host system.

Create a new Secure Store and Forward (SSF) Application

Each SSFAPPLIC entry lets you save a single service account key. To save service account keys for multiple projects, you need to create multiple SSFAPPLIC entries by following the same steps.

To create a new entry in the table SSFAPPLIC, perform the following steps:

  1. In the SAP GUI, enter transaction code SE16.
  2. In the Table Name field, enter SSFAPPLIC, and create a new entry.
  3. In the APPLIC field, enter a name for your SSF application, such as ZG_JWT.
  4. Select all fields except B_INCCERTS, B_DETACHED, B_ASKPWD, and B_DISTRIB.
  5. In the DESCRIPT field, enter JWT Signature for GCP.
  6. Save the new entry.

    This entry becomes a new node in transaction STRUST, where you import the service account key.

Enable the STRUST node

Use transaction SSFA to enable the STRUST node for JWT Signature for GCP.

To enable the STRUST node, perform the following steps:

  1. In the SAP GUI, enter transaction code SSFA.
  2. Click New Entries.
  3. In the SSF Application drop-down list, select JWT Signature for GCP. This is the new entry that you created in the table SSFAPPLIC.

    The application specific SSF parameters are automatically populated.

  4. Save the new entry.

    A new node SSF JWT Signature for GCP is enabled in transaction STRUST.

Import the service account key into STRUST

To import the service account key into STRUST, perform the following steps:

  1. In the SAP GUI, enter transaction code STRUST.

    Verify the new node in transaction STRUST is SSF JWT Signature for GCP.

  2. Import the private key file:

    1. Select PSE > Import from the menu bar.
    2. Depending on your SAP system, select the appropriate private key:
      • SAP S/4HANA
        1. Select the P12 private key.
        2. Enter the file password notasecret, and then click OK.
      • SAP ECC
        1. Select the PSE private key. You need to convert the P12 private key that you downloaded earlier into a PSE private key. For more information about converting a P12 key into a PSE key, see Convert P12 key into PSE key.
        2. Enter the file PIN that you created during the private key conversion from P12 key to PSE key, and then click OK.
  3. Select PSE > Save as.

  4. Select SSF Application, and in the corresponding input field, select the new SSF Application node that you created in Create a new Secure Store and Forward (SSF) Application.

  5. Save the new entry.

    The service key is attached to the SSF application node SSF JWT Signature for GCP.

Convert the P12 private key into PSE key

If your SAP system is SAP NetWeaver 7.0x (SAP ECC), then you need to convert the P12 key into a PSE key.

To convert the P12 key into a PSE key, perform the following steps:

  1. Go to the path:

    /usr/sap/SID/SYS/exe/run/

    Replace SID with the SAP system ID.

  2. Run the following command after replacing the placeholders:

    sapgenpse import_p12 -p PSE_PATH_AND_FILE_NAME P12_PATH_AND_FILE_NAME.p12

    Replace the following:

    • PSE_PATH_AND_FILE_NAME: specify the path and filename for the PSE file
    • P12_PATH_AND_FILE_NAME: specify the path and filename for the P12 key file
  3. Enter the password of P12 private key file, notasecret.

  4. Create a new PIN for the PSE private key and re-enter your PIN.

  5. Make a note of the PIN; you need to provide this PIN when importing the PSE private key file into STRUST.

For information from SAP about how to convert a P12 key into a PSE key, see:

Enable the Google Cloud APIs

In the Google Cloud console, enable the IAM Service Account Credentials API for your Google Cloud project that requires authentication. Along with the IAM Service Account Credentials API, you need to enable any other supported APIs that you plan to access using the SDK.

Go to API library

For information about how to enable Google Cloud APIs, see Enabling APIs.

Create a service account for authorization to access Google Cloud APIs

For authentication and authorization to access Google Cloud APIs, the ABAP SDK for Google Cloud needs an IAM service account.

Create a service account

In the Google Cloud console, create an IAM service account. This service account must be a principal in the Google Cloud project that contains the Google Cloud APIs that you plan to consume using the SDK. If you create the service account in the same project that contains the Google Cloud APIs, then the service account is added as a principal to the project automatically.

If you create the service account in a project other than the project where the Google Cloud APIs are enabled, then you need to add the service account to that project in an additional step.

  1. In the Google Cloud console, create an IAM service account for authentication and authorization to access Google Cloud APIs.

    Go to Service accounts

    For information about how to create a service account, see Create a service account.

  2. In the Google Cloud console, grant the service account the required IAM roles to access the API functionality. To understand the role requirement for Google Cloud APIs, see the individual API documentation and follow the principle of least privilege. For more information about API specific predefined roles, see IAM basic and predefined roles reference.

  3. If you created the service account in a different project than the project that contains the Google Cloud APIs that you plan to consume using the SDK, then note the name of the service account. You specify the name when you add the service account to that project. For more information, see Add the service account to the Google Cloud project.

Add the service account to the Google Cloud project

If you created the service account for ABAP SDK for Google Cloud in a project other than the project that contains the Google Cloud APIs that you plan to consume using the SDK, then you need to add the service account to the Google Cloud project that contains the Google Cloud APIs.

If you created the service account in the same project that contains the Google Cloud APIs, then you can skip this step.

To add an existing service account to the Google Cloud project that contains the Google Cloud APIs, perform the following steps:

  1. In the Google Cloud console, go to the IAM Permissions page:

    Go to IAM permissions

  2. Confirm that the name of the project that contains the target Google Cloud APIs is displayed near the top of the page. For example:

    Permissions for project "PROJECT_NAME"

    If it is not, then switch projects.

  3. On the IAM page, click Grant access. The Grant access to "PROJECT_NAME" dialog opens.

  4. In the Grant access to "PROJECT_NAME" dialog, perform the following steps:

    1. In the New principals field, specify the name of the service account.
    2. In the Select a role field, specify a relevant role. For example, for Pub/Sub, to modify topics and subscriptions, and access to publish and consume messages, you can specify the role Pub/Sub Editor (roles/pubsub.editor).

      For more details about API specific predefined roles, see IAM basic and predefined roles reference.

    3. Add additional roles as required for your API usage. Implement Google recommended best practices by applying the principle of least privilege.

    4. Click Save. The service account appears in the list of project principals on the IAM page.

The service account can now be used to access Google Cloud APIs in this project.

Set up HTTPS connection

The SAP application server must connect to Google Cloud APIs through HTTPS.

On the SAP host, confirm that firewall rules or proxies are configured to allow egress traffic from the HTTPS port to the required Google Cloud APIs.

Specifically, your SAP system must be able to access the following API endpoints:

  • https://iamcredentials.googleapis.com
  • API endpoints for the APIs that you want to consume using the SDK.

Create SAP configurations

For JWT based authentication, create the required SAP configurations.

Specify access settings in the client key table

To specify the access settings, perform the following steps:

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.

  3. Click New Entries.

  4. Enter values for the following fields:

    Field | Description
    Google Cloud Key Name | Specify a name for the client key configuration.
    Google Cloud Service Account Name | Specify the name of the service account, in email address format, that was created for ABAP SDK for Google Cloud in the step Create a service account. For example: sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com.
    Google Cloud Scope | Specify the access scope, https://www.googleapis.com/auth/cloud-platform.
    Project ID | Specify the ID of the Google Cloud project that contains your target APIs.
    Command name | Leave this field blank.
    Authorization Class | Specify the authorization class, /GOOG/CL_AUTH_JWT.
    Authorization Field | Leave this field blank.
    Token Refresh Seconds | Leave this field blank.
    Authorization Parameter 1 | Specify the name of the SSF application that you created in the section Create a new Secure Store and Forward (SSF) Application.
  5. Save the new entry.

Create new RFC destinations

Create RFC destinations for IAM API and other APIs that you plan to consume using the ABAP SDK for Google Cloud, for example, Pub/Sub API v1.

RFC destination name | Notes
ZGOOG_IAMCREDENTIALS | This RFC destination targets the IAM API.
ZGOOG_OAUTH2_TOKEN | This RFC destination targets the Google Cloud endpoint for token based authentication.
ZGOOG_PUBSUB_V1 | This RFC destination targets the Pub/Sub API.

For information about creating RFC destinations, see RFC destinations.

Specify RFC destinations in the service mapping table

In the service mapping table, specify the RFC destinations for IAM API and other APIs that you plan to consume using the ABAP SDK for Google Cloud.

To specify the RFC destinations, perform the following steps:

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.

  3. Click New Entries.

  4. Specify RFC destinations for IAM API and other APIs. For example:

    Name | Service Name | RFC Destination
    Google Cloud Key Name | iamcredentials:v1 | ZGOOG_IAMCREDENTIALS
    Google Cloud Key Name | googleapis.com/oauth2 | ZGOOG_OAUTH2_TOKEN
    Google Cloud Key Name | pubsub.googleapis.com | ZGOOG_PUBSUB_V1
  5. Save the new entry.

Authenticate using tokens through Workload Identity Federation

With Workload Identity Federation, you can grant on-premises or multicloud SAP workloads access to Google Cloud resources without using a service account key. You can use Workload Identity Federation with Amazon Web Services (AWS), with any identity provider (IdP) that supports OpenID Connect (OIDC), such as Microsoft Azure, or with SAML 2.0.

Workload Identity Federation follows the OAuth 2.0 token exchange specification. You provide a credential from your IdP to the Security Token Service, which verifies the identity on the credential, and then returns a federated token in exchange. You can use this token to impersonate a service account and obtain a short-lived OAuth 2.0 access token. The short-lived access token lets you call any Google Cloud APIs that the service account has access to.

For authentication using tokens through Workload Identity Federation, the high-level configuration steps are as follows:

  1. Prepare your external IdP.
  2. In Google Cloud, configure Workload Identity Federation.
  3. In Google Cloud, create a service account.
  4. In Google Cloud, allow the external workload to impersonate the service account.
  5. In ABAP SDK for Google Cloud, implement ABAP code to retrieve security tokens from your IdP.
  6. In ABAP SDK for Google Cloud, configure client key.

Not all Google Cloud products support Workload Identity Federation. Before setting up authentication using Workload Identity Federation, review the list of supported products and limitations. For more information, see Workforce identity federation: supported products and limitations.

Prepare your external IdP

You need to prepare your IdP so that your SAP workload can obtain credentials that can be exchanged for a Google OAuth 2.0 security token.

To prepare your external IdP, perform the steps depending on your IdP:

Configure Workload Identity Federation

In Google Cloud, configure a workload identity pool and a workload identity pool provider.

You configure an identity pool, which is an entity that lets you manage external identities. You also configure a workload identity pool provider, which is an entity that describes a relationship between Google Cloud and your IdP.

To configure Workload Identity Federation, perform the steps depending on your external IdP:

Make a note of the following:

  • Project number: the project number of the Google Cloud project where you created the workload identity pool.
  • Pool ID: a unique ID that identifies the workload identity pool.
  • Provider ID: an ID that identifies the workload identity pool provider.

You need them for the ABAP SDK client key configuration.

Create a service account

In the Google Cloud console, create a dedicated IAM service account to access Google Cloud APIs. This service account must be a principal in the Google Cloud project that contains the Google Cloud APIs that you plan to consume using the SDK.

  1. In the Google Cloud console, enable the IAM Service Account Credentials API, Security Token Service API, and any other supported APIs that you plan to access using the SDK.

    Go to API library

    For information about how to enable Google Cloud APIs, see Enabling APIs.

  2. Create a service account that represents the workload.

  3. Grant the service account the required IAM roles to access the API functionality. To understand the role requirement for Google Cloud APIs, see the individual API documentation and follow the principle of least privilege. For more information about API specific predefined roles, see IAM basic and predefined roles reference.

Allow the external workload to impersonate the service account

To allow the external workload to impersonate the service account, perform the steps depending on your external IdP:

Implement ABAP code to retrieve security tokens from your IdP

ABAP SDK for Google Cloud provides an abstract class /GOOG/CL_AUTH_WIF_BASE, which has the logic to retrieve OAuth 2.0 security tokens from the Security Token Service and OAuth 2.0 access tokens from the IAM Service Account Credentials API.

As a developer, you need to create a class in your namespace that inherits from the abstract class /GOOG/CL_AUTH_WIF_BASE. This class must implement the method GET_EXT_IDP_TOKEN and write the logic to get the security token from your IdP and populate the following fields:

  • CV_TOKEN: the token retrieved from your IdP, as a string.
  • CV_TOKEN_TYPE: the type of the security token retrieved from your IdP. The supported token types are:
    • urn:ietf:params:oauth:token-type:jwt
    • urn:ietf:params:oauth:token-type:id_token
    • urn:ietf:params:aws:token-type:aws4_request
    • urn:ietf:params:oauth:token-type:access_token
    • urn:ietf:params:oauth:token-type:saml2

The values populated in CV_TOKEN and CV_TOKEN_TYPE are then used by methods of the abstract class /GOOG/CL_AUTH_WIF_BASE to exchange and retrieve the final OAuth 2.0 token, which is used in the API calls.
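The two-leg exchange that the abstract class performs with the values from GET_EXT_IDP_TOKEN, modelled offline in Python as an added example (not the SDK's ABAP and not code from the page): leg 1 posts CV_TOKEN and CV_TOKEN_TYPE to the Security Token Service and receives a federated token, leg 2 presents that token to the IAM Service Account Credentials API to mint the short-lived access token. Endpoint URLs and field names follow the public STS and IAM Credentials REST APIs; the audience is built from the project number, pool ID and provider ID noted earlier; `fake_google` and every sample value are constructed stand-ins.

```python
import json
import urllib.parse

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_BASE = "https://iamcredentials.googleapis.com/v1"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# The CV_TOKEN_TYPE values that GET_EXT_IDP_TOKEN may return.
SUPPORTED_TOKEN_TYPES = frozenset({
    "urn:ietf:params:oauth:token-type:jwt",
    "urn:ietf:params:oauth:token-type:id_token",
    "urn:ietf:params:aws:token-type:aws4_request",
    ACCESS_TOKEN_TYPE,
    "urn:ietf:params:oauth:token-type:saml2",
})


def wif_audience(project_number, pool_id, provider_id):
    """Build the STS audience from the project number, pool ID and provider ID."""
    if not all((project_number, pool_id, provider_id)):
        raise ValueError("project number, pool ID and provider ID are all required")
    return ("//iam.googleapis.com/projects/%s/locations/global/"
            "workloadIdentityPools/%s/providers/%s"
            % (project_number, pool_id, provider_id))


def build_sts_request(cv_token, cv_token_type, audience):
    """Leg 1: exchange the IdP credential for a federated token at the STS."""
    if cv_token_type not in SUPPORTED_TOKEN_TYPES:
        raise ValueError("unsupported CV_TOKEN_TYPE: %s" % cv_token_type)
    if not cv_token:
        raise ValueError("CV_TOKEN is empty")
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "audience": audience,
        "scope": CLOUD_PLATFORM_SCOPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "subject_token_type": cv_token_type,
        "subject_token": cv_token,
    }
    return {"method": "POST", "url": STS_TOKEN_URL,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urllib.parse.urlencode(form)}


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body).items()}


def build_impersonation_request(federated_token, service_account, lifetime_s=3600):
    """Leg 2: present the federated token to mint a short-lived SA access token."""
    url = "%s/projects/-/serviceAccounts/%s:generateAccessToken" % (
        IAM_CREDENTIALS_BASE, service_account)
    return {"method": "POST", "url": url,
            "headers": {"Authorization": "Bearer " + federated_token,
                        "Content-Type": "application/json"},
            "body": json.dumps({"scope": [CLOUD_PLATFORM_SCOPE],
                                "lifetime": "%ds" % lifetime_s})}


def parse_sts_response(body):
    """Accept only a Bearer token of the requested type; anything else is an error."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or data.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise ValueError("unexpected STS response: %s" % body)
    return data["access_token"]


def obtain_access_token(cv_token, cv_token_type, audience, service_account, send):
    """Run both legs; `send(request) -> (status, body)` performs the HTTP call."""
    status, body = send(build_sts_request(cv_token, cv_token_type, audience))
    if status != 200:
        raise RuntimeError("STS exchange failed: %d %s" % (status, body))
    federated = parse_sts_response(body)
    status, body = send(build_impersonation_request(federated, service_account))
    if status != 200:
        raise RuntimeError("impersonation failed: %d %s" % (status, body))
    data = json.loads(body)
    return data["accessToken"], data["expireTime"]


def fake_google(request):
    """Constructed stand-in for the two Google endpoints so the flow runs offline."""
    if request["url"] == STS_TOKEN_URL:
        form = parse_form(request["body"])
        if form.get("grant_type") != TOKEN_EXCHANGE_GRANT or not form.get("subject_token"):
            return 400, json.dumps({"error": "invalid_request"})
        return 200, json.dumps({"access_token": "federated-token-constructed",
                                "issued_token_type": ACCESS_TOKEN_TYPE,
                                "token_type": "Bearer", "expires_in": 3600})
    if request["url"].endswith(":generateAccessToken"):
        if request["headers"].get("Authorization") != "Bearer federated-token-constructed":
            return 401, json.dumps({"error": "unauthenticated"})
        return 200, json.dumps({"accessToken": "ya29.constructed-sample",
                                "expireTime": "2024-01-01T01:00:00Z"})
    return 404, "{}"


if __name__ == "__main__":
    aud = wif_audience("123456789012", "sap-pool", "sap-oidc")
    print(obtain_access_token("eyJ.constructed.idtoken", "urn:ietf:params:oauth:token-type:id_token",
                              aud, "sa-sap@example-project.iam.gserviceaccount.com", fake_google))
```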

The following examples show sample implementations of the method GET_EXT_IDP_TOKEN for other cloud providers, such as AWS and Azure.

AWS

class ZCL_AUTH_WIF_AWS definition
  public
  inheriting from /GOOG/CL_AUTH_WIF_BASE
  final
  create public .

public section.

  types:
    BEGIN OF t_header_field,
      key type string,
      value TYPE string,
    END OF t_header_field .
  types:
    tt_header_field type STANDARD TABLE OF t_header_field WITH DEFAULT KEY .
  types:
    BEGIN OF t_token_request,
      url type string,
      method type string,
      headers type tt_header_field,
    END OF t_token_request .
protected section.

  methods GET_EXT_IDP_TOKEN
    redefinition .
private section.
ENDCLASS.



CLASS ZCL_AUTH_WIF_AWS IMPLEMENTATION.


METHOD get_ext_idp_token.
**********************************************************************
*  Copyright 2024 Google LLC                                         *
*                                                                    *
*  Licensed under the Apache License, Version 2.0 (the "License");   *
*  you may not use this file except in compliance with the License.  *
*  You may obtain a copy of the License at                           *
*      https://www.apache.org/licenses/LICENSE-2.0                   *
*  Unless required by applicable law or agreed to in writing,        *
*  software distributed under the License is distributed on an       *
*  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,      *
*  either express or implied.                                        *
*  See the License for the specific language governing permissions   *
*  and limitations under the License.                                *
**********************************************************************

  DATA: ls_key       TYPE /goog/client_key.

  /goog/cl_utility=>get_client_key( EXPORTING iv_keyname    = iv_keyname
                                        IMPORTING es_client_key = ls_key ).


  DATA: lv_awsdate TYPE string.

  DATA: lv_date      TYPE dats,
        lv_time      TYPE tims,
        lv_timestamp TYPE timestampl,
        lv_tz_utc    TYPE timezone VALUE 'UTC'.

  " SigV4 needs the request time in UTC, formatted as YYYYMMDD'T'HHMMSS'Z'.
  GET TIME STAMP FIELD lv_timestamp.

  CONVERT TIME STAMP lv_timestamp TIME ZONE lv_tz_utc INTO DATE lv_date TIME lv_time.

  lv_awsdate = lv_date(4) &&
               lv_date+4(2) &&
               lv_date+6(2) &&
               'T' &&
               lv_time(2) &&
               lv_time+2(2) &&
               lv_time+4(2) &&
               'Z'.

  TRANSLATE lv_awsdate TO UPPER CASE.

  DATA: lv_lf TYPE string.
  DATA: lv_secret_key TYPE string.
  DATA: lv_accesskey TYPE string.
  DATA: lv_datepart TYPE string.
  DATA: lv_service TYPE string.
  DATA: lv_method TYPE string.

  lv_lf = cl_abap_char_utilities=>newline.
  lv_accesskey = '<Populate AWS Access Key>'.
  lv_secret_key = '<Populate AWS Secret Access Key>'.
  lv_datepart = lv_awsdate(8).
  lv_service = 'sts'.
  " The HTTP method is part of the signed canonical request, so it must be the
  " same method that is placed in the serialized token request further down.
  lv_method = 'POST'.


  DATA: lv_canonical_query_params TYPE string.
  DATA: lv_host TYPE string.
  DATA: lv_region TYPE string.
  DATA: lv_canonical_resource_path TYPE string.

  lv_canonical_query_params = 'Action=GetCallerIdentity&Version=2011-06-15'.
  lv_host = 'sts.amazonaws.com'.
  lv_region = '<Populate your AWS Region>'.   "Example: 'us-east-1'
  lv_canonical_resource_path = '/'.

  DATA: lv_canonical_header_names TYPE string.
  DATA: lv_canonical_headers TYPE string.

  lv_canonical_header_names = 'host;x-amz-date'.
  lv_canonical_headers = 'host:' && lv_host && lv_lf && 'x-amz-date:' && lv_awsdate && lv_lf.

  DATA: lv_payload_hash TYPE string.
  DATA: lv_canonical_request TYPE string.

  " SigV4 requires the hex SHA-256 of the request body as the last line of the
  " canonical request. GetCallerIdentity is sent without a body, so this is the
  " well-known hash of zero bytes.
  lv_payload_hash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'.

  CONCATENATE lv_method lv_lf
              lv_canonical_resource_path lv_lf
              lv_canonical_query_params lv_lf
              lv_canonical_headers lv_lf
              lv_canonical_header_names lv_lf
              lv_payload_hash
              INTO lv_canonical_request.

  DATA: lv_canonical_request_hash TYPE string.

  TRY.
      cl_abap_message_digest=>calculate_hash_for_char(
       EXPORTING
         if_algorithm = 'SHA-256'
         if_data = lv_canonical_request
       IMPORTING
         ef_hashstring = lv_canonical_request_hash ).
    CATCH cx_abap_message_digest.
      "Handle error
      RETURN.
  ENDTRY.

  TRANSLATE lv_canonical_request_hash TO LOWER CASE.

  DATA: lv_algorithm TYPE string.

  lv_algorithm = 'AWS4-HMAC-SHA256'.

  DATA: lv_credential_scope TYPE string.

  CONCATENATE lv_datepart '/' lv_region '/' lv_service '/' 'aws4_request' INTO lv_credential_scope.

  DATA: lv_string_to_sign TYPE string.

  CONCATENATE lv_algorithm lv_lf
              lv_awsdate lv_lf
              lv_credential_scope lv_lf
              lv_canonical_request_hash
              INTO lv_string_to_sign.

  DATA: lv_awskey TYPE string.

  CONCATENATE 'AWS4' lv_secret_key INTO lv_awskey.

  DATA: lv_ksecret TYPE xstring.

  TRY.
      lv_ksecret = cl_abap_hmac=>string_to_xstring( lv_awskey ).
    CATCH cx_abap_message_digest .
      "Handle error
      RETURN.
  ENDTRY.

  DATA: lv_kdate  TYPE xstring.
  TRY.
      cl_abap_hmac=>calculate_hmac_for_char(
        EXPORTING
           if_algorithm = 'SHA256'
           if_key = lv_ksecret
           if_data = lv_datepart
        IMPORTING
           ef_hmacxstring = lv_kdate ).
    CATCH cx_abap_message_digest.
      "Handle error
      RETURN.
  ENDTRY.

  DATA: lv_kregion TYPE xstring.
  TRY.
      cl_abap_hmac=>calculate_hmac_for_char(
        EXPORTING
           if_algorithm = 'SHA256'
           if_key = lv_kdate
           if_data = lv_region
        IMPORTING
             ef_hmacxstring = lv_kregion ).
    CATCH cx_abap_message_digest.
      "Handle error
      RETURN.
  ENDTRY.

  DATA: lv_kservice TYPE xstring.
  TRY.
      cl_abap_hmac=>calculate_hmac_for_char(
         EXPORTING
           if_algorithm = 'SHA256'
           if_key = lv_kregion
           if_data = lv_service
           IMPORTING
             ef_hmacxstring = lv_kservice ).
    CATCH cx_abap_message_digest.
      "Handle error
      RETURN.
  ENDTRY.

  DATA: lv_ksigningkey TYPE xstring.
  TRY.
      cl_abap_hmac=>calculate_hmac_for_char(
         EXPORTING
           if_algorithm = 'SHA256'
           if_key = lv_kservice
           if_data = 'aws4_request'
         IMPORTING
             ef_hmacxstring = lv_ksigningkey ).
    CATCH cx_abap_message_digest.
      "Handle error
      RETURN.
  ENDTRY.

  DATA: lv_ssignature TYPE string.

  " Sign the string-to-sign built above with the derived signing key.
  TRY.
      cl_abap_hmac=>calculate_hmac_for_char(
         EXPORTING
           if_algorithm = 'SHA256'
           if_key = lv_ksigningkey
           if_data = lv_string_to_sign
         IMPORTING
           ef_hmacstring = lv_ssignature ).
    CATCH cx_abap_message_digest.
      "Handle error
      RETURN.
  ENDTRY.

  TRANSLATE lv_ssignature TO LOWER CASE.

  DATA: lv_authorization_header TYPE string.

  lv_authorization_header = 'AWS4-HMAC-SHA256 Credential=' &&
                            lv_accesskey && '/' &&
                            lv_credential_scope &&
                            ', SignedHeaders=' &&
                            lv_canonical_header_names &&
                            ', Signature=' &&
                            lv_ssignature.

  DATA: ls_token_request TYPE t_token_request.

  ls_token_request-url = 'https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15'.
  " Reuse the method that was signed; a mismatch makes AWS reject the signature.
  ls_token_request-method = lv_method.

  DATA: ls_header_field TYPE t_header_field.
  ls_header_field-key = 'Authorization'.
  ls_header_field-value = lv_authorization_header.
  APPEND ls_header_field TO ls_token_request-headers.

  CLEAR: ls_header_field.
  ls_header_field-key = 'host'.
  ls_header_field-value = 'sts.amazonaws.com'.
  APPEND ls_header_field TO ls_token_request-headers.

  CLEAR: ls_header_field.
  ls_header_field-key = 'x-amz-date'.
  ls_header_field-value = lv_awsdate.
  APPEND ls_header_field TO ls_token_request-headers.

  CLEAR: ls_header_field.
  ls_header_field-key = 'x-goog-cloud-target-resource'.
  ls_header_field-value = '//iam.googleapis.com/projects/' &&
                               ls_key-project_id &&
                               '/locations/global/workloadIdentityPools/' &&
                               ls_key-auth_param1 &&
                               '/providers/' &&
                               ls_key-auth_param2.
  APPEND ls_header_field TO ls_token_request-headers.

  " Google STS expects lowercase JSON keys (url, method, headers, key, value).
  cv_token = /ui2/cl_json=>serialize( data        = ls_token_request
                                      pretty_name = /ui2/cl_json=>pretty_mode-low_case ).
  cv_token_type = 'urn:ietf:params:aws:token-type:aws4_request'.

ENDMETHOD.
ENDCLASS.
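To cross-check what the ABAP method above produces, the following Python reference implementation performs the same SigV4 signing of the AWS STS GetCallerIdentity request and serializes the same JSON subject token. It is example code added for this page, not part of the ABAP SDK or of the sample class; the access key, secret key, region, timestamp and workload identity pool/provider names are constructed placeholders. It goes slightly beyond the ABAP sample by adding check_subject_token, a structural check of the kind a practitioner would run over the serialized token before handing it to the SDK (lowercase keys, required headers, well-formed signature).

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample inputs: placeholder credentials and names, not real ones.
SAMPLE_ACCESS_KEY = "AKIAEXAMPLEKEY000000"
SAMPLE_SECRET_KEY = "example-secret-access-key-not-real"
SAMPLE_REGION = "us-east-1"
SAMPLE_TIME = datetime(2024, 1, 15, 12, 30, 45, tzinfo=timezone.utc)
SAMPLE_TARGET = ("//iam.googleapis.com/projects/example-project"
                 "/locations/global/workloadIdentityPools/example-pool"
                 "/providers/example-provider")

STS_HOST = "sts.amazonaws.com"
STS_QUERY = "Action=GetCallerIdentity&Version=2011-06-15"
SIGNED_HEADERS = "host;x-amz-date"
# SigV4 signs the request body too; GetCallerIdentity is sent without one,
# so the canonical request ends with the SHA-256 of zero bytes.
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def aws_datetime(ts):
    """x-amz-date in the compact form SigV4 expects, e.g. 20240115T123045Z."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")


def canonical_request(method, amz_date):
    """Canonical request: method, path, query, canonical headers (each line
    newline-terminated, then a blank line), signed header list, hashed payload."""
    canonical_headers = f"host:{STS_HOST}\nx-amz-date:{amz_date}\n"
    return "\n".join([method, "/", STS_QUERY, canonical_headers,
                      SIGNED_HEADERS, EMPTY_PAYLOAD_SHA256])


def credential_scope(amz_date, region):
    return f"{amz_date[:8]}/{region}/sts/aws4_request"


def signing_key(secret_key, amz_date, region):
    """kSigning = HMAC(HMAC(HMAC(HMAC('AWS4' + secret, date), region), 'sts'), 'aws4_request')."""
    def h(key, msg):
        return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
    k_date = h(("AWS4" + secret_key).encode("utf-8"), amz_date[:8])
    k_region = h(k_date, region)
    k_service = h(k_region, "sts")
    return h(k_service, "aws4_request")


def sign_request(access_key, secret_key, region, ts, method="POST"):
    """Return (x-amz-date, Authorization header) for a GetCallerIdentity call."""
    amz_date = aws_datetime(ts)
    request_hash = hashlib.sha256(canonical_request(method, amz_date).encode("utf-8")).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date,
                                credential_scope(amz_date, region), request_hash])
    signature = hmac.new(signing_key(secret_key, amz_date, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{credential_scope(amz_date, region)}, "
                     f"SignedHeaders={SIGNED_HEADERS}, Signature={signature}")
    return amz_date, authorization


def build_subject_token(access_key, secret_key, region, ts, target_resource, method="POST"):
    """Serialize the signed request in the JSON shape Google STS expects for
    token type urn:ietf:params:aws:token-type:aws4_request (lowercase keys)."""
    amz_date, authorization = sign_request(access_key, secret_key, region, ts, method)
    token = {
        "url": f"https://{STS_HOST}?{STS_QUERY}",
        "method": method,  # must be the same method that was signed
        "headers": [
            {"key": "Authorization", "value": authorization},
            {"key": "host", "value": STS_HOST},
            {"key": "x-amz-date", "value": amz_date},
            {"key": "x-goog-cloud-target-resource", "value": target_resource},
        ],
    }
    return json.dumps(token)


def check_subject_token(token_json):
    """Structural checks on a serialized token; returns a list of problems
    (empty when the token has the shape described above)."""
    problems = []
    try:
        token = json.loads(token_json)
    except ValueError:
        return ["token is not valid JSON"]
    for key in ("url", "method", "headers"):
        if key not in token:
            problems.append(f"missing lowercase key '{key}'")
    if problems:
        return problems
    headers = {h.get("key", "").lower(): h.get("value", "") for h in token["headers"]}
    for name in ("authorization", "host", "x-amz-date", "x-goog-cloud-target-resource"):
        if name not in headers:
            problems.append(f"missing header {name}")
    auth = headers.get("authorization", "")
    if not auth.startswith("AWS4-HMAC-SHA256 Credential="):
        problems.append("Authorization header is not a SigV4 header")
    signature = auth.rsplit("Signature=", 1)[-1]
    if len(signature) != 64 or any(c not in "0123456789abcdef" for c in signature):
        problems.append("signature is not 64 lowercase hex characters")
    if len(headers.get("x-amz-date", "")) != 16:
        problems.append("x-amz-date is not in YYYYMMDDTHHMMSSZ form")
    return problems
```

To compare against the ABAP output, log the intermediate lv_canonical_request and lv_string_to_sign values from the SAP side for a fixed timestamp and diff them against canonical_request and the string built inside sign_request; the two implementations must agree byte for byte before the HMAC chain, or the signatures will never match.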

Azure

class ZCL_AUTH_WIF_AZURE definition
  public
  inheriting from /GOOG/CL_AUTH_WIF_BASE
  final
  create public .

public section.
protected section.

  methods GET_EXT_IDP_TOKEN
    redefinition .
private section.
ENDCLASS.



CLASS ZCL_AUTH_WIF_AZURE IMPLEMENTATION.


  METHOD GET_EXT_IDP_TOKEN.
**********************************************************************
*  Copyright 2024 Google LLC                                         *
*                                                                    *
*  Licensed under the Apache License, Version 2.0 (the "License");   *
*  you may not use this file except in compliance with the License.  *
*  You may obtain a copy of the License at                           *
*      https://www.apache.org/licenses/LICENSE-2.0                   *
*  Unless required by applicable law or agreed to in writing,        *
*  software distributed under the License is distributed on an       *
*  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,      *
*  either express or implied.                                        *
*  See the License for the specific language governing permissions   *
*  and limitations under the License.                                *
**********************************************************************

    TYPES:
      BEGIN OF t_azure_resp,
        access_token TYPE string,
      END OF t_azure_resp.

    DATA: lo_client TYPE REF TO if_http_client.

    DATA: lv_url type string.
    lv_url = 'http://169.254.169.254/metadata/identity/oauth2/token?resource=<APP_ID_URI>&api-version=2018-02-01'.
    "Replace <APP_ID_URI> with the value of Application ID URI of the application that you've configured for workload identity federation.

    cl_http_client=>create_by_url(
       EXPORTING
         url                        = lv_url
       IMPORTING
         client                     = lo_client
       EXCEPTIONS
         argument_not_found         = 1
         plugin_not_active          = 2
         internal_error             = 3
         pse_not_found              = 4
         pse_not_distrib            = 5
         pse_errors                 = 6
         oa2c_set_token_error       = 7
         oa2c_missing_authorization = 8
         oa2c_invalid_config        = 9
         oa2c_invalid_parameters    = 10
         oa2c_invalid_scope         = 11
         oa2c_invalid_grant         = 12
         OTHERS                     = 13 ).

    IF sy-subrc <> 0.
      RETURN.
    ENDIF.

    " Suppress any interactive logon popup before the request is sent.
    lo_client->propertytype_logon_popup = lo_client->co_disabled.

    lo_client->request->set_method( 'GET' ).
    " Azure IMDS rejects requests that do not carry the Metadata header.
    lo_client->request->set_header_field( name = 'Metadata' value = 'true' ).

    lo_client->send(
      EXCEPTIONS
        http_communication_failure = 1
        http_invalid_state         = 2
        http_processing_failed     = 3
        http_invalid_timeout       = 4
        OTHERS                     = 5 ).

    IF sy-subrc <> 0.
      lo_client->close( EXCEPTIONS OTHERS = 1 ).
      RETURN.
    ENDIF.

    lo_client->receive(
      EXCEPTIONS
        http_communication_failure = 1
        http_invalid_state         = 2
        http_processing_failed     = 3
        OTHERS                     = 4 ).

    IF sy-subrc <> 0.
      lo_client->close( EXCEPTIONS OTHERS = 1 ).
      RETURN.
    ENDIF.

    DATA: lv_json TYPE string.

    lv_json = lo_client->response->get_cdata( ).
    lo_client->close( EXCEPTIONS OTHERS = 1 ).

    DATA: ls_azure_resp TYPE t_azure_resp.

    /goog/cl_json=>deserialize(
      EXPORTING
        json             = lv_json
      CHANGING
        data             = ls_azure_resp ).
    cv_token = ls_azure_resp-access_token.
    cv_token_type = 'urn:ietf:params:oauth:token-type:jwt'.

  ENDMETHOD.
ENDCLASS.

Configure client key

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
  3. Click New Entries.
  4. Enter values for the following fields:

    • Google Cloud Key Name: Specify a name for the client key configuration.
    • Google Cloud Service Account Name: Leave this field blank.
    • Google Cloud Scope: Leave this field blank.
    • Google Cloud Project Identifier: Specify the ID of the Google Cloud project where you created the workload identity pool.
    • Command name: Leave this field blank.
    • Authorization Class: Specify the authentication class that contains your implementation of the method GET_EXT_IDP_TOKEN.
    • Token Caching: Leave this field blank.
    • Token Refresh Seconds: Leave this field blank.
    • Authorization Parameter 1: Specify the workload identity pool ID.
    • Authorization Parameter 2: Specify the workload identity provider ID.
  5. Save the entry.

Authenticate to Google Workspace APIs using OAuth 2.0 client credentials

To authenticate to Google Workspace APIs using OAuth 2.0 client credentials, you need to complete the following configurations in your Google Cloud project and your SAP landscape:

Google Cloud console configurations

SAP landscape configurations

The ABAP SDK for Google Cloud is shipped with the following core components, which are required for the OAuth 2.0 client credentials based authentication:

  • OAuth 2.0 service provider type /GOOG/ABAP_SDK that you specify for your OAuth 2.0 client profile configuration.
  • Authentication class /GOOG/CL_OAUTH_GOOGLE that you specify for the client key configuration.
  • SAP Business Add-Ins (BAdIs) implementations that pre-populate Google specific OAuth parameters such as endpoints and required parameter settings.

However, you also need to complete the following configurations in your SAP landscape:

The OAuth consent screen is a prompt that tells users who's requesting access to their data and what kind of data users are allowing your app to access.

  1. In the Google Cloud console, go to Menu > APIs & Services > OAuth consent screen.

    Go to OAuth consent screen

  2. Select the External user type for your app, and click Create.

  3. To complete the app registration form, specify the following details:

    • App name: the name of the application that requires consent.
    • User support email: a support email for users to contact you with questions about their consent.
    • Authorized domains: the domains to be used during OAuth consent.
    • Developer contact information: the email addresses for Google to notify you about any changes to your project.
  4. Click Save and Continue.

Create OAuth 2.0 client ID credentials

To authenticate as an end user and access user data in your app, you need to create one or more OAuth 2.0 Client IDs. A client ID is used to identify a single app to Google's OAuth servers.

  1. In the Google Cloud console, go to Menu > APIs & Services > Credentials.

    Go to Credentials

  2. Click Create Credentials > OAuth client ID.

  3. In the Application type field, select Web application.

  4. In the Name field, type a name for the credentials. This name is shown only in the Google Cloud console.

  5. Under Authorized redirect URIs, click Add URI. Then, enter your SAP redirection URI to which the OAuth 2.0 server can send responses.

    You can get the SAP redirection URI from the OAuth 2.0 settings in your SICF transaction.

  6. Click Create.

  7. Make a note of the Client ID and the Client secret.

Create OAuth 2.0 client profile

As an ABAP developer, you create an OAuth client profile with the OAuth 2.0 scopes that are required for your business requirements. For information about the OAuth 2.0 scopes for the Google APIs, see OAuth 2.0 Scopes for Google APIs.

A sample OAuth client profile /GOOG/OAUTH_PROFILE_SAMPLE is shipped with the SDK, with the OAuth 2.0 scopes configured for Google Sheets API.

  1. In the SAP GUI, enter transaction code SE80.
  2. From the drop down list, select Development Object.
  3. To create a development object in the custom namespace, select Create > Others > OAuth 2.0 Client Profile in the context menu of the object name.
  4. Enter the following details:

    • In the Client Profile field, enter a name of the client profile.
    • In the Type field, select /GOOG/ABAP_SDK. This is the default provider type shipped with the ABAP SDK for Google Cloud.
  5. Add the necessary scopes to your client profile. For information about the OAuth 2.0 scopes, see OAuth 2.0 Scopes for Google APIs.

  6. Save the client profile to your development package. Include the client profile in a transport request, which can be transported to higher environments.

Configure OAuth 2.0 client

As an SAP administrator, you associate the OAuth client profile with the Google Cloud client credentials.

This is a one-time activity that you need to perform on every SAP system in your SAP landscape (Development, Testing, and Production).

  1. In the SAP GUI, enter transaction code OA2C_CONFIG. The SAP login page opens in your default browser.
  2. Log in with your SAP credentials.
  3. To create an OAuth 2.0 client, click Create.
  4. In the Create a new OAuth 2.0 client dialog box:
    1. Select the OAuth 2.0 client profile that you created earlier in Create OAuth 2.0 client profile in your SAP system.
    2. Enter a configuration name.
    3. Enter the OAuth 2.0 Client ID from Google Cloud credentials that you created earlier in Create OAuth 2.0 client ID credentials.
    4. Click OK.
  5. On the Administration tab, in the General Setting section, enter the client secret from the Google Cloud credentials that you created earlier in Create OAuth 2.0 client ID credentials.
  6. If you are using a proxy server to route the outbound HTTP/HTTPS traffic from your SAP system, then you need to maintain the following proxy host details in the Access Settings section:

    • Proxy host
    • Proxy port
    • Proxy user
    • Proxy password
  7. Click Save.

Configure client key

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
  3. Click New Entries.
  4. Enter values for the following fields:

    • Google Cloud Key Name: Specify a name for the client key configuration.
    • Google Cloud Service Account Name: Leave this field blank.
    • Google Cloud Scope: Leave this field blank.
    • Google Cloud Project Identifier: Specify the ID of the Google Cloud project that contains your target APIs.
    • Command name: Leave this field blank.
    • Authorization Class: Specify the authentication class /GOOG/CL_OAUTH_GOOGLE.
    • Token Caching: Leave this field blank.
    • Token Refresh Seconds: Leave this field blank.
    • Authorization Parameter 1: Specify the name of the OAuth client profile that you created earlier in Create OAuth 2.0 client profile in your SAP system.
    • Authorization Parameter 2: Specify the configuration name that you defined in the OAuth 2.0 client for a client ID. This field is mandatory if you have associated a single OAuth client profile with more than one client ID. For more information, see Multiple Google Cloud projects scenario.


  5. Save the new entry.

Request OAuth 2.0 access tokens

As an end user, you need to request an OAuth 2.0 access token to allow access to the API resources.

This is a one-time activity that each user needs to perform on every SAP system in your SAP landscape (Development, Testing, and Production). If the OAuth scopes are modified, users need to repeat this activity.

  1. In the SAP GUI, enter transaction code OA2C_GRANT. The SAP login page opens in your default browser.
  2. Log in with your SAP credentials.
  3. Select the client ID with which you want to access the APIs.
  4. Click Request OAuth 2.0 Tokens.
  5. In the Sign in with Google consent screen, enter your Google account credentials and click Allow.

    A green indicator in the Access Status column indicates access to the API resources is allowed as per the OAuth 2.0 client profile.

Multiple Google Cloud projects scenario

If you have enabled your Google Cloud APIs in more than one Google Cloud project, then follow this guidance for setting up authentication using OAuth 2.0 client credentials:

Authenticate using API key stored in SAP SSF

The high-level configuration steps are as follows:

Create an API key

For authentication using an API key, you need to create an API key. An API key string is an encrypted string, for example, AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe. ABAP SDK for Google Cloud uses the API key string in the HTTP request to securely authenticate when calling a Google Cloud API.

Google Cloud provides multiple ways to create API keys.

To create API keys using the Google Cloud console, perform the following steps:

  1. In the Google Cloud console, go to the Credentials page:

    Go to Credentials

  2. Click Create Credentials and select API key from the menu.

    • The API key created dialog displays the API key string. Copy your key string and keep it secure. You need this API key to configure authentication to Google Cloud.

    • By default, API keys are unrestricted. We recommend that you restrict API keys by selecting the APIs with which this API key can be used. For more information about adding API restrictions, see Add API restrictions.

Store the API key in SSF

The ABAP SDK for Google Cloud provides an option to securely store API keys using the SAP Secure Store and Forward mechanism (SSF).

By using the SSF option, you store the API key in encrypted form in the table /GOOG/APIKEY_BIN. When an API is called, the API key is retrieved from the table /GOOG/APIKEY_BIN, decrypted, and appended to the API endpoint URI.

For security purposes, you cannot view the contents of /GOOG/APIKEY_BIN using standard tools such as the transactions SE16, SE16N, or SE11.

Prerequisites

For authentication using an API key stored in SAP SSF, you must have version 8.5 or later of the SAP Cryptographic Library installed in your SAP system. For more information about the SAP Cryptographic Library, see 1848999 - Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB) and 397175 - SAP Cryptographic software - export control.

To verify the version of SAP Cryptographic Library, perform the following steps:

  1. In the SAP GUI, enter transaction code STRUST.
  2. Go to the Environment menu, and then click Display SSF Version.

Set up SSF application

In the table SSFAPPLIC, create a new SSF application ZG_APK that encrypts the API key. ZG_APK is the default SSF application name.

Alternatively, you can create an SSF application with your preferred name or use an existing SSF application that has a different name. If you want to use a different SSF application for encryption, then you need to configure the SSF application name in Authorization Parameter 1 of the client key table.

To create a new entry in the table SSFAPPLIC, perform the following steps:

  1. In the SAP GUI, enter transaction code SE16.
  2. In the Table Name field, enter SSFAPPLIC, and then create a new entry.
  3. In the APPLIC field, enter ZG_APK.
  4. Specify values in the following fields.

    • APPLIC: ZG_APK
    • B_TOOLKIT: Select the flag.
    • B_FORMAT: Select the flag.
    • B_PAB: Select the flag.
    • B_PROFID: Select the flag.
    • B_PROFILE: Select the flag.
    • B_HASHALG: Leave this field blank.
    • B_ENCRALG: Leave this field blank.
    • B_INCCERTS: Leave this field blank.
    • B_DETACHED: Leave this field blank.
    • B_ASKPWD: Leave this field blank.
    • B_DISTRIB: Select the flag.
    • DESCRIPT: API Key Encryption for GCP
  5. Save the new entry.

Create SSF parameters
  1. In the SAP GUI, enter transaction code SM30.

  2. Open the view VSSFARGS.

  3. For application ZG_APK (API Key Encryption for GCP), create a new entry. The application-specific SSF parameters are populated automatically.

  4. Save the new entry.

Create a Personal Security Environment (PSE)

  1. In the SAP GUI, enter transaction code STRUST.

  2. Under node SSF API Key Encryption for GCP, right-click and select Create.

  3. In the Algorithm field, select RSA. Leave other fields with system-populated default values.

  4. Save the new entry.

Store the API key

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure API Key (Using SSF).

  3. In the Google Key Name field, enter the name of the client key configuration.

  4. In the API Key field, enter the API key that you created earlier in Create an API key.

  5. Select Save.

  6. Click Execute to store the API key.

Configure client key

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.

  3. Click New Entries.

  4. Enter values for the following fields:

    • Google Cloud Key Name: Specify a name for the client key configuration. For example, DEMO_API_KEY.
    • Google Cloud Service Account Name: Leave this field blank.
    • Google Cloud Scope: Specify the API access scope, https://www.googleapis.com/auth/cloud-platform.
    • Project ID: Specify the ID of the Google Cloud project that contains your target APIs.
    • Command name: Leave this field blank.
    • Authorization Class: Specify the authorization class /GOOG/CL_AUTH_API_KEY_SSF.
    • Token Caching: The flag that determines whether the access tokens retrieved from Google Cloud are cached. We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching.
    • Token Refresh Seconds: Specify the amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500.
    • Authorization Parameter 1: If the SSF application name is different from ZG_APK, then specify your SSF application name.
    • Authorization Parameter 2: Leave this field blank.
  5. Save the new entry.

Create new RFC destinations

For the APIs that you plan to consume using the ABAP SDK for Google Cloud, create new RFC destinations.

For information about creating RFC destinations, see RFC destinations.

If RFC destinations are not created and configured, the ABAP SDK for Google Cloud uses the default API endpoints maintained in the individual API client stubs.

Configure service mapping

Configure the service mapping table for the APIs that you plan to consume using the ABAP SDK for Google Cloud.

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.

  3. Click New Entries.

  4. Specify RFC destinations for the APIs that you plan to use, for example, addressvalidation v1. If you're going to consume other APIs, then specify RFC destinations for those APIs.

    • Name: the Google Cloud Key Name of your client key configuration
    • Service Name: addressvalidation:v1
    • RFC Destination: ZGOOG_ADDRVALDN_V1
  5. Save the new entry.

Delete an API key

If an API key is no longer used, then you can delete the API key from your SAP system.

To delete an API key, perform the following steps:

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure API Key (Using SSF).

  3. In the Google Key Name field, enter the name of the client key configuration.

  4. Select Delete.

  5. Click Execute to delete the API key.

Authenticate using API key stored in Secret Manager

The high-level configuration steps are as follows:

Create an API key

For authentication using an API key, you need to create an API key. An API key string is an encrypted string, for example, AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe. ABAP SDK for Google Cloud uses the API key string in the HTTP request to securely authenticate when calling a Google Cloud API.

Google Cloud provides multiple ways to create API keys.

To create API keys using the Google Cloud console, perform the following steps:

  1. In the Google Cloud console, go to the Credentials page:

    Go to Credentials

  2. Click Create Credentials and select API key from the menu.

    • The API key created dialog displays the API key string. Copy your key string and keep it secure. You need this API key to configure authentication to Google Cloud.

    • By default, API keys are unrestricted. We recommend that you restrict API keys by selecting the APIs with which this API key can be used. For more information about adding API restrictions, see Add API restrictions.

Create a secret and store the API key

The ABAP SDK for Google Cloud provides an option to securely store API keys using the Secret Manager service of Google Cloud. Storing the API key string in Secret Manager lets you follow the best practices for using API keys securely.

To create a secret and store the API key, perform the following steps:

  1. Enable the Secret Manager API.

    Go to API library

  2. In Google Cloud console, create a secret, and store the API key as the latest version.

    Go to Secret manager

For information about how to create a secret, see Create a secret.

The ABAP SDK for Google Cloud by default retrieves only the latest version of a secret.

Configure client key for Secret Manager access

Secret Manager APIs use tokens for authentication, so you need to set up token-based authentication to access Secret Manager APIs, depending on your SAP deployment.

Use one of the following methods to set up token based authentication to access Secret Manager APIs:

Note down the client key name that you created for Secret Manager access.

Configure client key for the secret

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.

  3. Click New Entries.

  4. Enter values for the following fields:

    • Google Cloud Key Name: Specify a name for the client key configuration. For example, DEMO_API_KEY.
    • Google Cloud Service Account Name: Leave this field blank.
    • Google Cloud Scope: Specify the API access scope, https://www.googleapis.com/auth/cloud-platform.
    • Project ID: Specify the ID of the Google Cloud project that contains your target APIs.
    • Command name: Leave this field blank.
    • Authorization Class: Specify /GOOG/CL_AUTH_API_KEY_SM.
    • Token Caching: The flag that determines whether the access tokens retrieved from Google Cloud are cached. We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching.
    • Token Refresh Seconds: Specify the amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500.
    • Authorization Parameter 1: Specify the name of the client key that you created for Secret Manager access. For example, CLIENT_KEY_SM.
    • Authorization Parameter 2: Specify the name of the secret in which the API key is stored. For example, TEST_SECRET.
  5. Save the new entry.

Create new RFC destinations

For the APIs that you plan to consume using the ABAP SDK for Google Cloud, create new RFC destinations.

For information about creating RFC destinations, see RFC destinations.

If RFC destinations are not created and configured, the ABAP SDK for Google Cloud uses the default API endpoints maintained in the individual API client stubs.

Configure service mapping

Configure the service mapping table for the APIs that you plan to consume using the ABAP SDK for Google Cloud.

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.

  3. Click New Entries.

  4. Specify RFC destinations for the APIs that you plan to use, for example, addressvalidation v1. If you're going to consume other APIs, then specify RFC destinations for those APIs.

    • Name: the Google Cloud Key Name of your client key configuration
    • Service Name: addressvalidation:v1
    • RFC Destination: ZGOOG_ADDRVALDN_V1
  5. Save the new entry.

Validate API key retrieval from Secret Manager

To validate API key retrieval from Secret Manager, perform the following steps:

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Utilities > Validate API key retrieval (Using Secret Manager).
  3. Specify the client key name.
  4. Click Execute to check if the API key is retrieved successfully from Secret Manager.

Validate authentication configuration

To validate the authentication configuration, perform the following steps:

  1. In SAP GUI, execute the transaction code /GOOG/SDK_IMG.

    Alternatively, execute the transaction code SPRO, and then click SAP Reference IMG.

  2. Click ABAP SDK for Google Cloud > Utilities > Validate Authentication Configuration.

  3. Enter the client key name.

  4. Click Execute to check if the overall flow is configured successfully.

    A green check in the Result column indicates that all configuration steps are completed successfully.

Get support

If you need help resolving problems with the ABAP SDK for Google Cloud, then do the following: